The company has been working on a similar tool to detect Spectre vulnerability attacks.

Though free, Blacksmith is not open source. SentinelOne decided to expedite its development in-house to save time, said Raj Rajamani, vice president of project management.

The company has made the tool available to everyone for free in the hope of securing Linux systems while reliable patches are developed, he told LinuxInsider.

The Meltdown vulnerability affects Intel chips and Linux-based systems. A similar design flaw, Spectre, affects AMD and ARM chips. No comprehensive solutions are currently available for either flaw.

Meltdown is a design flaw in all Intel chips produced in the last decade. It creates a vulnerability that puts Linux, Windows and macOS-powered computers at risk. The flaw sits in the kernel-level mechanism that controls chip performance, and it allows commonly used programs to access the contents and layout of a computer’s protected kernel memory areas.

“The inherent complexities of the issue are delaying effective fixes,” he told LinuxInsider. “With that in mind, having access to a free, effective tool for spotting Meltdown exploits could be valuable for many IT organizations and businesses, especially in the short term.”

Research Initiative

The tool goes beyond all offerings available today, some of which only state whether a device is exposed or not, noted Rajamani.

It took Danker and fellow researchers several weeks to ready the tool for release. It required gathering data from chip makers, industry partners and Microsoft.

When he reviewed the data about the vulnerabilities, Danker realized that researchers could use a Linux feature that already monitored the kinds of activity involved in incoming traffic during an attack. Company officials have credited Danker with being largely responsible for developing the tool.

Linux in Crosshairs

Two key factors influenced SentinelOne to prioritize the Linux version of the tool. Linux is very susceptible to such attacks, with no comprehensive solution available. Also, Linux is the preferred OS of the world’s top supercomputers. That makes Linux a high-value target for attackers.

Those reasons made it clear that it was critical to help secure Linux environments as quickly and effectively as possible, said Migo Kedem, SentinelOne’s director of product management.

“Some people are hesitant to apply patches without knowing for sure that they are being attacked,” he told LinuxInsider. However, Blacksmith “lets admins run it and then decide what level of mitigation is best for their purposes.”

Stopgap Measure

The Meltdown vulnerability leaves enterprises with two options: patch immediately or delay while testing. The first option carries the risk of system-wide impact. The second option leaves the system exposed to attack while patches are tested against the company’s full stack of software applications.

Either way, until an industry-wide solution to close the vulnerabilities is found, patches do not yet exist to ensure that endpoints are secure. Many remain unprotected, even as attackers may be working to weaponize the vulnerabilities. Linux-based systems so far have no comprehensive protection solution, according to SentinelOne.

“The time crunch forced us to eliminate including any kind of mitigation options. Our choice was to wait until we could provide a solution or give back to the community a detection tool rapidly,” said SentinelOne’s Kedem.

How It Works

The Blacksmith tool leverages the performance counting feature on modern chipsets. This lets Blacksmith monitor processes to detect malicious caching behavior. The Meltdown vulnerability generates these patterns during exploitation, according to Dankner.

Blacksmith logs the exploitation attempts it detects to the local syslog, or sends the report by email or to a remote syslog server, he said, which lets each admin take individual action to clean up after the exploitation.
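The description above is all the article gives about the detection approach: per-process hardware performance counters, a check for cache behaviour that looks like exploitation, and a report to syslog. The following is an added example written for this page to make that idea concrete; it is not SentinelOne's Blacksmith code, whose internals are not published. It assumes counter values in the shape `perf stat -x,` prints for a single process (the constructed sample text below stands in for a real run), and the thresholds and the "misses and page faults per thousand instructions" heuristic are assumptions chosen for the demo, not numbers from the article.

```python
"""
Added illustration of counter-based detection of Meltdown/Spectre-style probing.
Not Blacksmith's code. Input is the CSV that `perf stat -x, -p <pid>` emits
(first field = count, third field = event name); here it is constructed inline.
"""
import logging
import logging.handlers
import os
from dataclasses import dataclass
from typing import Dict, List

# ASSUMED thresholds for the demo. Flush+Reload probing deliberately evicts and
# re-touches cache lines, so last-level-cache misses per instruction sit far
# above ordinary workloads; a Meltdown attempt also faults on each illegal
# kernel read unless the attacker suppresses the fault by other means.
LLC_MISSES_PER_KINST_LIMIT = 100.0
PAGE_FAULTS_PER_KINST_LIMIT = 10.0

# perf event name -> attribute on CounterSample
EVENT_FIELDS = {
    "instructions": "instructions",
    "LLC-load-misses": "llc_load_misses",
    "page-faults": "page_faults",
}


@dataclass
class CounterSample:
    pid: int
    comm: str
    instructions: int = 0
    llc_load_misses: int = 0
    page_faults: int = 0


def parse_perf_stat_csv(pid: int, comm: str, text: str) -> CounterSample:
    """Parse one process's `perf stat -x,` output into a CounterSample."""
    sample = CounterSample(pid=pid, comm=comm)
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        fields = line.split(",")
        if len(fields) < 3:
            continue
        value, event = fields[0].strip(), fields[2].strip()
        if not value.isdigit():  # "<not supported>" / "<not counted>"
            continue
        attr = EVENT_FIELDS.get(event)
        if attr:
            setattr(sample, attr, int(value))
    return sample


def score(sample: CounterSample) -> Dict[str, object]:
    """Normalise counters per 1k retired instructions and grade the result."""
    kinst = max(sample.instructions, 1) / 1000.0
    misses = sample.llc_load_misses / kinst
    faults = sample.page_faults / kinst
    hits = int(misses > LLC_MISSES_PER_KINST_LIMIT) + int(faults > PAGE_FAULTS_PER_KINST_LIMIT)
    severity = {0: None, 1: "medium", 2: "high"}[hits]
    return {"llc_misses_per_kinst": round(misses, 1),
            "faults_per_kinst": round(faults, 1),
            "severity": severity}


def detect(samples: List[CounterSample]) -> List[str]:
    """Return one syslog-style alert line per process that trips a threshold."""
    alerts = []
    for s in samples:
        r = score(s)
        if r["severity"] is None:
            continue
        alerts.append(
            f"blacksmith-demo: suspicious cache behaviour pid={s.pid} comm={s.comm} "
            f"llc_misses_per_kinst={r['llc_misses_per_kinst']} "
            f"faults_per_kinst={r['faults_per_kinst']} severity={r['severity']}")
    return alerts


def emit(alerts: List[str]) -> None:
    """Write alerts to the local syslog socket when present, else to stderr."""
    logger = logging.getLogger("blacksmith-demo")
    if not logger.handlers:
        if os.path.exists("/dev/log"):
            logger.addHandler(logging.handlers.SysLogHandler(address="/dev/log"))
        else:
            logger.addHandler(logging.StreamHandler())
        logger.setLevel(logging.WARNING)
    for a in alerts:
        logger.warning(a)


# Constructed sample: one second of counters for four processes. The last two
# show the high miss rate (and, for a.out, the fault storm) the heuristic keys on.
SAMPLE_PERF_OUTPUT = {
    (1204, "nginx"): "50000000,,instructions,1000000000,100.00,,\n"
                     "120000,,LLC-load-misses,1000000000,100.00,,\n"
                     "300,,page-faults,1000000000,100.00,,",
    (1319, "postgres"): "80000000,,instructions,1000000000,100.00,,\n"
                        "2400000,,LLC-load-misses,1000000000,100.00,,\n"
                        "4000,,page-faults,1000000000,100.00,,",
    (2077, "a.out"): "6000000,,instructions,1000000000,100.00,,\n"
                     "1800000,,LLC-load-misses,1000000000,100.00,,\n"
                     "500000,,page-faults,1000000000,100.00,,",
    (2101, "python3"): "10000000,,instructions,1000000000,100.00,,\n"
                       "1500000,,LLC-load-misses,1000000000,100.00,,\n"
                       "20,,page-faults,1000000000,100.00,,",
}


def load_samples() -> List[CounterSample]:
    return [parse_perf_stat_csv(pid, comm, text)
            for (pid, comm), text in SAMPLE_PERF_OUTPUT.items()]


if __name__ == "__main__":
    emit(detect(load_samples()))
```

The point the example makes is the trade-off the article's sources describe: a detector of this kind reports on behaviour, so a memory-heavy but benign process such as the `postgres` sample stays below the line while a probe loop stands out, and an admin reading the syslog entries can decide how aggressively to patch.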

Some computer systems may suffer performance hits from the patches. That is one reason IT organizations and their employers may decide to resist or delay implementing patches for their systems, said King. Actual or successful exploits also appear to be rare.

“For organizations that choose such a path,” he said, “SentinelOne’s Blacksmith should provide a way for them to remain safer than they would be otherwise.”

Jack M. Germain has been an ECT News Network reporter since 2003. His main areas of focus are enterprise IT, Linux and open source technologies. He has written numerous reviews of Linux distros and other open source software.